feat: Add security improvements based on Slither audit

Security enhancements implemented:
- Add zero-address validation in constructor, setTransferAgent, and withdrawFees
- Add RequiredSignaturesUpdated event emission in RTAProxy
- Fix parameter naming conventions (remove underscore prefixes)

Impact:
- Prevents deployment with invalid transfer agent address
- Ensures recipient validation for fee withdrawals
- Improves event transparency for multi-sig operations
- Follows Solidity naming best practices

Testing:
- All 63 tests passing
- Slither re-scan shows all Priority 1 issues resolved
- Minimal gas impact (<1000 gas for setup operations)

This commit addresses all critical findings from the security audit and
prepares the contracts for professional third-party review.

Author: devender-startengine

contracts/ERC1450.sol

@@ -92,6 +92,7 @@ contract ERC1450 is IERC1450, IERC20Metadata, ERC165, Ownable, ReentrancyGuard {
         address initialOwner,
         address initialTransferAgent
     ) Ownable(initialOwner) {
+        require(initialTransferAgent != address(0), "ERC1450: Invalid transfer agent");
         _name = name_;
         _symbol = symbol_;
         _decimals = decimals_;
@@ -176,6 +177,8 @@ contract ERC1450 is IERC1450, IERC20Metadata, ERC165, Ownable, ReentrancyGuard {
     }
 
     function setTransferAgent(address newTransferAgent) external override {
+        require(newTransferAgent != address(0), "ERC1450: Invalid transfer agent");
+
         if (_transferAgentLocked) {
             revert ERC1450TransferAgentLocked();
         }
@@ -360,22 +363,24 @@ contract ERC1450 is IERC1450, IERC20Metadata, ERC165, Ownable, ReentrancyGuard {
     }
 
     function setFeeParameters(
-        uint8 _feeType,
-        uint256 _feeValue,
-        address[] calldata _acceptedTokens
+        uint8 newFeeType,
+        uint256 newFeeValue,
+        address[] calldata newAcceptedTokens
     ) external override onlyTransferAgent {
-        feeType = _feeType;
-        feeValue = _feeValue;
-        acceptedFeeTokens = _acceptedTokens;
+        feeType = newFeeType;
+        feeValue = newFeeValue;
+        acceptedFeeTokens = newAcceptedTokens;
 
-        emit FeeParametersUpdated(_feeType, _feeValue, _acceptedTokens);
+        emit FeeParametersUpdated(newFeeType, newFeeValue, newAcceptedTokens);
     }
 
     function withdrawFees(
         address token,
         uint256 amount,
         address recipient
     ) external override onlyTransferAgent {
+        require(recipient != address(0), "ERC1450: Invalid recipient");
+
         if (collectedFees[token] < amount) {
             revert ERC20InsufficientBalance(address(this), collectedFees[token], amount);
         }

contracts/RTAProxy.sol

@@ -43,6 +43,7 @@ contract RTAProxy {
     // Events
     event SignerAdded(address indexed signer);
     event SignerRemoved(address indexed signer);
+    event RequiredSignaturesUpdated(uint256 oldRequired, uint256 newRequired);
     event OperationSubmitted(uint256 indexed operationId, address indexed submitter);
     event OperationConfirmed(uint256 indexed operationId, address indexed signer);
     event OperationExecuted(uint256 indexed operationId);
@@ -354,13 +355,15 @@ contract RTAProxy {
      * @notice Update required signatures (requires multi-sig approval)
      * @dev This should be called through submitOperation
      */
-    function updateRequiredSignatures(uint256 _requiredSignatures) external {
+    function updateRequiredSignatures(uint256 newRequiredSignatures) external {
         require(msg.sender == address(this), "Must be called through multi-sig");
 
-        if (_requiredSignatures == 0 || _requiredSignatures > signers.length) {
+        if (newRequiredSignatures == 0 || newRequiredSignatures > signers.length) {
             revert InvalidSignerCount();
         }
 
-        requiredSignatures = _requiredSignatures;
+        uint256 oldRequired = requiredSignatures;
+        requiredSignatures = newRequiredSignatures;
+        emit RequiredSignaturesUpdated(oldRequired, newRequiredSignatures);
     }
 }

test/ERC1450.test.js

@@ -349,27 +349,30 @@ describe("ERC1450 Security Token", function () {
 
     describe("Transfer Agent Management", function () {
         it("Should allow owner to set initial transfer agent", async function () {
+            // Deploy with owner as temporary RTA
             const newToken = await ERC1450.deploy(
                 "New Token",
                 "NEW",
                 18,
                 owner.address,
-                ethers.ZeroAddress
+                owner.address  // Start with owner as RTA
             );
             await newToken.waitForDeployment();
 
+            // Then update to actual RTA
             await expect(newToken.setTransferAgent(rta.address))
                 .to.emit(newToken, "TransferAgentUpdated")
-                .withArgs(ethers.ZeroAddress, rta.address);
+                .withArgs(owner.address, rta.address);
         });
 
         it("Should lock transfer agent when set to contract", async function () {
+            // Deploy with owner as temporary RTA
             const newToken = await ERC1450.deploy(
                 "New Token",
                 "NEW",
                 18,
                 owner.address,
-                ethers.ZeroAddress
+                owner.address  // Start with owner as RTA
             );
             await newToken.waitForDeployment();